swap_digger: an automated swap extraction tool
swap_digger is a bash script that automates Linux swap analysis for post-exploitation or forensic purposes. It automatically extracts and searches swap for Linux user credentials, web form credentials, web form e-mail addresses, HTTP Basic authentication, Wi-Fi SSIDs and keys, and more.
Download and run the tool
On your own machine
Download and run the script on your machine with the following commands:
root@kali:~# git clone https://github.com/sevagas/swap_digger.git
正克隆到 ‘swap_digger’…
remote: Enumerating objects: 117, done.
remote: Total 117 (delta 0), reused 0 (delta 0), pack-reused 117
接收对象中: 100% (117/117), 342.53 KiB | 29.00 KiB/s, 完成.
处理 delta 中: 100% (54/54), 完成.
root@kali:~# cd swap_digger/
root@kali:~/swap_digger# chmod +x swap_digger.sh
root@kali:~/swap_digger# sudo ./swap_digger.sh -vx # Run this script as root
On a mounted hard disk
To use swap_digger on a mounted hard disk, proceed as follows:
First, download the script with the following commands:
alice@1nvuln3r4bl3:~$ git clone https://github.com/sevagas/swap_digger.git
alice@1nvuln3r4bl3:~$ cd swap_digger
alice@1nvuln3r4bl3:~$ chmod +x swap_digger.sh
Then locate the target swap file/partition with the following command:
alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -S
Finally, analyse the target by running:
alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -vx -r path/to/mounted/target/root/fs -s path/to/target/swap/device
On a third-party machine
Download and run the script on a third-party machine (useful for pentests and CTFs) with the following commands:
alice@1nvuln3r4bl3:~$ wget https://raw.githubusercontent.com/sevagas/swap_digger/master/swap_digger.sh
alice@1nvuln3r4bl3:~$ chmod +x swap_digger.sh
alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -vx
Note: use the -c option to automatically remove the working directory swap_digger creates (/tmp/swap_dig).
Simple run:
If you only need to recover clear-text Linux user passwords, just run:
alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh
Available options (also shown with -h):
./swap_digger.sh [ OPTIONS ]
Options :
-x, --extended            Run Extended tests on the target swap to retrieve other interesting data
                          (web passwords, emails, wifi creds, most accessed urls, etc)
-g, --guessing            Try to guess potential passwords based on observations and stats
                          Warning: This option is not reliable, it may dig more passwords as well as hundreds false positives.
-h, --help                Display this help.
-v, --verbose             Verbose mode.
-l, --log                 Log all outputs in a log file (protected inside the generated working directory).
-c, --clean               Automatically erase the generated working directory at end of script (will also remove log file)
-r PATH, --root-path=PATH Location of the target file-system root (default value is /)
                          Change this value for forensic analysis when target is a mounted file system.
                          This option has to be used along the -s option to indicate path to swap device.
-s PATH, --swap-path=PATH Location of swap device or swap dump to analyse
                          Use this option for forensic/remote analysis of a swap dump or a mounted external swap partition.
                          This option should be used with the -r option where at least //etc/shadow exists.
-S, --swap-search         Search for all available swap devices (use for forensics).
Looking for patterns:
Some patterns are easy to find. For example, to search for web form passwords you can use:
# strings <swap_device> | grep "&password="
To search for e-mail addresses entered into web forms, you can use:
# strings <swap_device> | grep -i 'email=' | grep @ | uniq
To check whether a clear-text password sits in swap close to its hashed form (a sign that the password was paged out in the clear):
# strings <swap_device> | grep -C 50 <hashed_password> | grep <clear_text_password>
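The grep one-liners above are exactly what a defender can run against a swap dump to measure how much form data a machine leaks to disk, for instance before and after enabling encrypted swap. The script below is an added example, not part of swap_digger or its README: it builds a constructed sample "swap dump" (zero padding with a few readable fragments embedded, standing in for <swap_device>), emulates strings with tr so it has no dependency on binutils, and wraps the page's password and e-mail patterns in functions that return counts and values a test or a monitoring job can check. All file names, fragment contents and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not swap_digger's own code): leak check over a swap dump
# using the same patterns as the page's one-liners.

# Constructed sample swap dump: binary padding around a few printable runs,
# shaped like what paged-out browser/web-server memory looks like.
make_sample_swap() {
  out="$1"
  {
    head -c 256 /dev/zero
    printf 'GET /login?user=alice&password=hunter2 HTTP/1.1'
    head -c 64 /dev/zero
    printf 'email=alice@example.com&submit=1'
    head -c 64 /dev/zero
    printf 'email=bob@example.com&x=1'
    head -c 128 /dev/zero
  } > "$out"
}

# Portable stand-in for strings(1): turn every non-printable byte into a
# newline and keep runs of at least 4 printable characters.
printable_runs() {
  tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Number of web form password submissions found (page: grep "&password=").
# Returns only a count, so the value can be logged without copying secrets.
count_web_passwords() {
  printable_runs "$1" | grep -c '&password='
}

# Distinct e-mail values submitted through web forms (page's second one-liner),
# with the value extracted from the email= parameter.
list_form_emails() {
  printable_runs "$1" | grep -i 'email=' | grep @ \
    | sed 's/.*email=\([^&]*\).*/\1/' | sort -u
}

# Stand-alone run: build the sample, report the findings.
if [ "${SWAP_LEAK_DEMO:-1}" = "1" ]; then
  sample=$(mktemp)
  make_sample_swap "$sample"
  echo "web password submissions found: $(count_web_passwords "$sample")"
  echo "form e-mails found:"
  list_form_emails "$sample"
  rm -f "$sample"
fi
```

Point the functions at a real swap dump (or at a block device with sudo) instead of the constructed file; a non-zero count on a production host means that form credentials reached unencrypted swap and that encrypted swap, or disabling swap for the affected service, is worth prioritising.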
Related blog post
Reference: http://blog.sevagas.com/?Digging-passwords-in-Linux-swap